"This is the first really big attack on Macs,"
So... it was a Big Mac Attack?
Apple, Facebook and "hundreds of other companies" have had their Mac computers hacked in a sophisticated campaign mounted by an unknown adversary. Attackers were able to infect Apple, along with other businesses around the world with Mac malware delivered via a Java zero-day vulnerability, Reuters reported on Tuesday, after …
So... it was a Big Mac Attack?
No, that happened over at Burger Kings twitter feed.
Mac OS-X, over 1800 vulnerabilities and counting. That's 4 times more than windows XP and almost as bad a Linux dsitribution! And Mac users generally don't have antivirus wrapped round their Swiss Cheese of an OS either....
Mutter mutter, something about horses, *jazz hands*
GNU/Linux is developed in the open, so it will look like they have many bugs as one can see them all. Some bug won't even be a GNU or Linux issue, they'll be integration issues for a particular distro. Also, many of these bugs will be duplicates as various distros have a bug reported to them (a new ticket) which then gets filed with upstream (might be a new ticket, might join an existing one). This is before we get into the severity of said bugs. The projects are co-operative units, not closed and secretive monoliths like Apple and MS.
MS is cagey about what bugs they have and their publicly known list is probably a subset of the true picture.
I would have expected Apple to be the same if not even more anti-open, but as you cite no sources I guess we will just have to take what you say with a very large pinch of salt.
As for anti-virus - all PCs should run anti-virus, if only to protect Windows from itself.
The total of 1800 is only referring to security vulnerabilities - not integration issues or other bugs . Like it or not, Linux distributions tend to have the highest vulnerability totals of any OSs. Even the Linux kernel alone has over 900 known vulnerabilities - about twice the total of the whole of Windows XP!
I'll type this slowly. Publicly admitted. And I find it funny you ate comparing a dead OS to a living kernel which supports more hardware, more filesystems, more...
XP is still on extended support - http://windows.microsoft.com/en-US/windows/products/lifecycle
Indeed it would seem to be pretty widely used still - http://en.wikipedia.org/wiki/Usage_share_of_operating_systems
It dies (or is currently expected to) next year. It's no longer sold. That is so close to "dead" as makes no odds.
Just because idiots still usr IE6 does not make it any less dead either.
Comparing XP (developed in secret and near EOL) to the Linux kernel 3.8 (developed in public and still living) is not comparing like with like.
Boy, am I glad I ditched Java a few years ago. I haven't missed it either.
Boy, am I glad I ditched OS-X a few years ago. I haven't missed it either.
For a moment there I thought I was at risk then I realised I removed Java years ago when I realised I didn't need it any more.
Java on the server is fine.
Java on the client would be fine if it wasn't managed by Oracle.
Yes, makes me glad i run Windows....
Sorry but OS9 is far better to ditch than OSX
No....No, their MUST be some mistake. Macs are immune to such things, remember? Jobs said so.
So did that nice looking young man in the commercial: http://www.youtube.com/watch?v=M3Z386vXrt4
There's a difference between malware or viruses and a very co-ordinated hack attempt.
Yes, the difference is what you call it. Basically you got p0wned...
now he is dead his reality distortion field is no longer protecting Apple
Not just Jobs, millions of fanois said so too!
Macs are invulnerable, most secure computers, etc, etc.....
Yeah I poke a sharp stick at the fanbois about this on another page, but in general Macs really are more secure than Windows. Which is what makes this such a complete clusterfuck - it was an obvious hole even Windows fanbois saw it coming.
The bigger problem now is, Apple's a big company and it took them too long to find this. Given that the kernel is built on an OSS *nix core, have the hackers also been able to penetrate other *nix distributions/installs which have so far gone undetected? Given that we know neither what changes Apple made to the core nor enough details of the attack for your typical admin to check for the malware on his systems (beyond: are you running Java, which like it or not most business do) it's a bit unsettling. Gut says most of those systems are still secure (greater variety, admins tend to be more security aware, lower desktop distribution), but the brain wants proof and it can't get it.
Merkins need a credible "cyber"-threat so that they pass CISPA more easily - that's why the fingers are pointing at CPLA.
Article to deflect attention to Google or Samsung in three...two...one...
So press headlines let Apple know big players are getting hit, then Apple says "disable Java" for a cure all fix, then Apple only decides to issue a fix AFTER they too have been affected?
Apparently security and code auditing is a burden for "IT Artists". No matter, it does explain where a large chunk of their cash pile has come from...lax security.
OFF TOPIC: Does Apple have to hire BSD/Linux guru's to fix their system? Or do they have a security team?
Er, no. They disabled older versions of the Java plug-in as there was a known exploit (however the new version of the Java plug-in wasn't yet released to java.com when they updated the blocklist meaning for a while all Java plug-ins were blocked) and they disabled this malware when they had a signature for it.
ISTR that Apple do not let a vanilla Java distribution go straight to Macs. They take the new version, wave a magic cat over it for a few weeks (or whatever it is they do) and then release their approved version, now with more fruit.
I guess someone's spotted that Macs are the target of choice for Java vulns, as they're likely to have their knickers down for rather longer than other platforms, due to this delay while the wizards of Cupertino scry their runes.
Here's an article that describes where to look on your mac to see if it's got the malware. Apparently the site that was hacked to distribute the malware was a "mobile developers website"
They're suggesting that the idea was to allow them to inject malicious code into the code being developed for mobiles, rather than trying to hack mobiles directly.
With the sequester looming the goons over at DARPA are making sure that the Nation knows just how important it is to invest in cyber-espionage. Just imagine what the PLA could do with all those LoLCats pictures, or, heaven forfend, actually bring down the LoLCats servers!
Everyone who visited the site with a vulnerable configuration got hacked... whether it was a Facebook or Apple engineer, or someone's granny who was there accidentally looking for mobility aids....
This appears to be the new thing.... we are gradually becoming crap so we make out that dangerous people are out to get us to make us appear sexy again!
All it shows is that Apple and Facebook developers need as much help as everyone else from the internet to do their jobs...
This being a Java exploit, it affects everyone who still has Java enabled under any OS - Windows, Linux, FreeBSD, etc - not just those running Mac OS X.
Let's see who admits being attacked next.
No, if the vulnerability is used to download and run native code - as it looks, the attack was targeted at Macs, not anyone running Java.
No, all old java code, possibly new stuff too although hopefully Oracle fixed it. The attack detailed here is specific to the Mac, and the Macs had a particular affinity for it since Apple hadn't updated the code. But the vulnerability itself was in Java. Once you've got the Java exploit worked out, you can engineer other attacks on other systems. Put those attacks at different locations and you get multiple feeders. Then people going 'it's just a Mac attack' or 'it's just a Windows attack' will ignore their own vulnerabilities allowing your malware to spread further. If I were a State sponsor of cyber attacks, it's certainly the route I'd go. Thankfully for the world I'm just a help desk monkey and slightly dyslexic so math and I don't get along as well as I'd like.
Apple (or Microsoft) can't really be blamed for security vulnerabilities in third-party software, Adobe Flash and Java being egregious culprits.
That's why I disable Flash and Java in my primary browser (Chrome) and only have them enabled on my secondary browser (Safari) that I use to visit sites that absolutely require either, and then only under duress (normally I will just ditch a site that requires Flash or Java, or won't work with cookies disabled, as that is not acceptable in the 21st century). I also make sure the bug-ridden Adobe Reader never makes it onto my computers.
The best approach would be for browsers to run all plugins in a virtualized sandbox where they cannot do any harm, but the engineering effort to do something like this would be daunting, essentially duplicating the functionality of VMware, and non-portable to boot.
They don't make it easy though.
Disable Java in chrome
Click the little iching symbol on the toolbar - well the three horizontal lines that means 'heaven' or settings
The select settings
Then click the show advanced settings link
Then click the content settings button (hint this is the one that is a heading not a link)
Then scroll down to plug-ins in the popup window
The click the disable individual plugins link (we are back to links now)
Then find Java and click disable
To quote Douglas Adams .... Have you ever thought of going into advertising ?
How about just doing this instead..
1) Type chrome://plugins into url bar,
2) Click on "disable" beside the java plugin
So long as it remains third party software that is completely under control of the users, yes. Make it part of the OS and not something the user can fix and that changes to a big fat NO.
Presumably because they're all too busy dressing up as Munchkins for a corporate rendition of "Ding Dong the Witch is dead." from "The Wizard of Oz".
Well it would be a tad embarrassing if MS had to admit they'd been hacked too. As that would be tantamount* to admitting they do their developing on Macs...
I wonder if MS will now send a nice present to Oracle. Perhaps a new yacht for Larry, with a pirate flag with an apple impaled on the top of the pole.
...and ship the perps off to prison for 15 years.
Mac, Linux etc - anything based on Unix is just utter horsetripe compared to the years of honing Microsoft have done on developing a secure modern kernel. Windows 8 is the pinnacle of that, and those of us who run it are deeply happy and safe in the knowledge that there are no threats out there that can touch us.
Great to see someone sticking up for Windows 8. Except in this case, it was a Java 0-day. Or are you saying Win8 can block JVM holes?
Windows 8 employs a sophisticated AEFU layer (Anti-Ellison-F**K-Up - sorry Larry it's under your watch now) which sniffs out JVM holes and blocks them by injecting incredibly elegant java classes which intercept miscreants and route the badness into the ether via JNI. *Only* the geniuses at Microsoft can write code like that.
He means Windows 8 can't run Java. Or, rather, Internet Explorer 10 in Windows Store mode doesn't run browser plug-ins, except for the Adobe Flash plug-in. Zero-days and all.
Java, Flash, and many other protocols that run in a web browser or handle downloaded files and also have access to the desktop system are potential holes in your computer security colander, I mean cordon. No, I was right with colander. But it's also true of documents for Microsoft Orifice. That's why those tools have to be patched as well. And it's true of WebGPUsr whatever that's called. Giving the Internet access to your graphics hardware is awfully unwise.
If these things need to be done, then they should be done for selected highly trusted web sites only. Or for no web sites. You can run Java and Flash as separate desktop applications with useful results.
Linux has security flaws
OS-X has security flaws
Windows has security flaws
Unless an operating system kernal is locked/controlled to such an extent that the user cannot run or perform any task not explictly defined by the original development then there will still be flaws, and even then I wouldn't garuantee it would be 100% secure from any future attacks
And that's the point, it's all a balance between security and functionality. Mainframes are more secure because the only tasks allowed have been pre-defined. Personal computers are designed to let users have as much functionality/flexibility as possible.
Now you need to be careful RainForestGuppy - there's no place for a reasoned, common sense, point on El Reg.
It should be a foaming-at-the-mouth rant against whichever OS/phone/slablet device and/or manufacturer you don't personally support!
Hmmm mainframes are probably more secure because you don't use them to browse sites on the internet.
sudo killall -9 Autopilot